CMMC Core Maintenance Packages by Duffy Compliance Services

Achieving a Level 2 CMMC accreditation is a great milestone for any organization. It marks the beginning of your ongoing cyber activities to evolve with the threat landscape. But once you become certified, you must maintain that compliance.

The DCS CMMC Core maintenance packages are subscription-based services that address the critical activities required to maintain CMMC compliance, activities that must be performed annually for CMMC accreditation.

The maintenance packages are available in three service offerings. They range from basic activities to full virtual Chief Compliance Officer services where we manage the majority of your CMMC accreditation activities. Regardless of your certification, these activities are best practices to maintain a healthy cyber security posture.

Overall Value to You:

Reduces stress and burden of compliance

  • Great reduction in the stress and burden of maintaining CMMC compliance.
  • The higher the service level, the less you need to worry about.
  • CMMC requirements related to security assessments, risk assessments, and incident response testing are services we keep up to date for you.
  • We track the schedule and logistics of activities, so you don’t have to.
  • Be prepared for CMMC assessments or client requests for cybersecurity checks.
  • The assessment is performed by an independent third party using CAICO-certified CMMC assessors. This arrangement helps you meet the CMMC Practice “AC.L2-3.1.4 - SEPARATION OF DUTIES - Separate the duties of individuals to reduce the risk of malevolent activity without collusion.”
  • Some MSPs may offer these services, but that is like the fox watching the hen house.

Saves Money

  • Easy to budget for because of our fixed costs offering.
  • Core and Core + include a bonus 1 hr/month of CMMC-related cybersecurity consult.
  • Removes direct staff costs of outsourcing every project event.

Saves Time

  • Reduces the ongoing compliance assignments placed on your staff, so they can focus on core business activities rather than ancillary tasks like assessments.

DCS CMMC Core Maintenance Offerings

Assess CMMC Controls:

We assess your organization against all 110 CMMC controls and 320 assessment objectives, spread out either quarterly or semi-annually. This assessment is a requirement of CMMC. Our program is designed to conduct this assessment over the course of the year to reduce headaches of an all-at-once assessment, which can cause major disruption to business activities.

Conduct Risk Assessments:

DCS will conduct an annual Risk Assessment of your business to identify potential threat actors, threat events, likelihood of threat events, and impact to systems and assets that directly relate to protecting CUI.

Test Incident Response Capabilities:

DCS will develop incident response scenarios and conduct an annual tabletop exercise to test your incident response preparedness. DCS will run the exercise and compile an after-action report that can be used to help improve your incident response processes.

Vulnerability Management:

This service provides an independent, unbiased review of the vulnerability scanning results. DCS will provide the analysis of the scan/assessment and provide recommendations on remediations as frequently as monthly. DCS can also perform vulnerability scanning services as an additional service.

Security Awareness Training:

DCS will provide you with annual security awareness training that covers general security awareness, role-based training, and insider threat training.

Virtual Chief Compliance Officer (vCCO):

The Chief Compliance Officer ensures that an organization adheres to laws, regulations, and internal policies relevant to its industry. This includes overseeing ethical standards, managing risk, and implementing compliance programs. In some cases, especially for smaller businesses or organizations with budget constraints, hiring a full-time, on-site CCO may not be cost effective. DCS can serve as a vCCO to provide compliance expertise on a more flexible basis.

POAM Management:

Through the course of maintaining your CMMC certification, there will be many assessments and tests that will identify new system modifications/upgrades as well as any deficiencies and vulnerabilities within your system. For this service, DCS will take the lead and manage those action items for you. This includes hours for updating CMMC-related documentation as well as serving as the project manager for remediation that must be outsourced, such as fixes that must be performed by your Managed Service Provider (MSP).

CMMC Assessment Support:

DCS will support your company during the CMMC assessment process by helping you submit documentation to your chosen C3PAO, serving as the company liaison during the CMMC assessment process, and helping remediate any POAM items identified during the CMMC assessment.

DCS CMMC Core Maintenance Offerings

Services:

  • Annual Assessment of all 110 CMMC Practices / 320 assessment objectives
  • Annual Risk Assessment
  • Annual IR Tabletop Exercise
  • Vulnerability Management
  • Security Awareness Training
  • Virtual Chief Compliance Officer (vCCO)
  • POAM Management
  • CMMC Assessment Support

Package tiers:

  • CMMC Maintenance Basic
  • CMMC Core
  • CMMC Core Premium

Interested in learning more?

We help you navigate through regulatory compliance by removing the stress of the unknowns. We make sense of complex cybersecurity and compliance jargon and create best practices for you.

Contact Duffy Compliance today.

We can help with Fractional Compliance Officer services, CUI compliance, CMMC, Cyber Security Awareness Training, Supplier Performance Risk System (SPRS) consulting, and more. We have several decades of cybersecurity and compliance experience in Maryland, the Greater Washington DC area, and beyond.